Netgate Discussion Forum

    Should a certificate be revoked before renew or reissue

    • john-l

      Hello everyone,

      I was going to renew a certificate and the following message appears at the top of the Renew or Reissue page:
      Renewing or reissuing a CA or certificate will replace the old entry. The old entry will be lost, and cannot be revoked after it has been replaced. Daemons known to be using this entry or one of its descendents will be restarted after the entry is replaced.

      Should a certificate be revoked before it is renewed or reissued?

      Thanks for any advice.

      • Gertjan @john-l

        @john-l said in Should a certificate be revoked before renew or reissue:

        Should a certificate be revoked before it is renewed or reissued?

        No.
        'Revoking' comes into play when you know someone 'stole' your private certificate files.

        Most often, the old files will get deleted or overwritten. They will expire anyway.

        • jimp Rebel Alliance Developer Netgate

          The answer is "it depends".

          Renewing a certificate because the old one is about to expire? Then it's not worth revoking.

          Renewing a certificate because you increased its security (e.g. reducing the lifetime of a server cert)? Then perhaps it's a good idea.

          Reissuing a certificate because the user lost their laptop or phone that had the certificate on there? Definitely revoke it.

          Also just because you can't revoke the old one by clicking it in the GUI doesn't mean it can't be revoked entirely. If you keep a record of the old certificate serial number you can always revoke using that serial at a later time.

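One way to keep the record of the old serial that the reply above describes, as an added example that is not from the thread or from pfSense itself: export the certificate before renewing, then log its serial with enough context to revoke it later. The file names, the inventory layout and the subject `vpn-user.example` are assumptions, and the sample certificate is constructed.

```shell
#!/bin/sh
# Added example: record a certificate's serial before it is renewed or reissued.

# make_sample_cert PREFIX: constructed self-signed cert, serial 4660 (hex 1234)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn-user.example" -set_serial 4660 \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# record_cert CERT_PEM INVENTORY_TSV
# Appends: recorded-at, serial (hex), notAfter, SHA-256 fingerprint, issuer, subject.
# Prints the serial so the caller can note it elsewhere as well.
record_cert() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$serial" "$not_after" "$fp" "$issuer" "$subject" >> "$2"
    printf '%s\n' "$serial"
}

# serial_for SUBJECT_SUBSTRING INVENTORY_TSV
# Lists every recorded serial whose subject contains the substring.
serial_for() {
    awk -F'\t' -v s="$1" 'index($6, s) { print $2 }' "$2"
}

# is_revoked SERIAL_HEX CRL_PEM: exit 0 if the CRL lists that serial.
is_revoked() {
    openssl crl -in "$2" -noout -text |
        grep -qix "[[:space:]]*Serial Number: $1"
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir/old"
    echo "recorded serial: $(record_cert "$dir/old.crt" "$dir/inventory.tsv")"
    echo "lookup by subject: $(serial_for vpn-user.example "$dir/inventory.tsv")"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Keep the inventory file somewhere other than the firewall, since its purpose is to outlive the certificate entry that renewal replaces.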
          • john-l

            Thanks for your answers, very informative.
